I was just asked an interesting question by one of the higher ups in a meeting, and the idea has spread like wildfire among upper management. At any given point and time, they would like for me to be able to pull a "report" of one to many user accounts and include their current domain password. This would prevent, in their mind, an extra step of having to communicate the new (reset) password to the user when they return to their system. Part of me could potentially see value in this, but I am not even sure how one would go about doing this.

Question: How can I pull the current password for a given user from Active Directory?

Stating that it's impossible, which is a blatant lie, is OK? I clearly stated I think the whole idea of having a username/password list or even knowing a single user's password is bad practice. I think it's naive and irresponsible not to tell it how it is.

It is impossible to get a password using conventional means that are accepted and condoned by the SW community as a whole. If you know of a Microsoft or other reputable third-party utility that can give OP the correct answer, I say go for it.

As a community, we definitely DO NOT approve of the use of hacking/cracking tools and would recommend that anyone who wishes to do so to find advice/information elsewhere. That is the difference here between the Community and just any other technical forum. We help direct those that have questions to acceptable answers that conform to normal business practices, ones that we would feel comfortable using ourselves.

This question was a first-tier conceptual one, and it was a bit naive and irresponsible IMHO to jump to the 'hack and crack' solution.

To me that's a giant red-flag. I would not ever want anyone to have a complete list of all the passwords on my network. You should explain to management (if you can) the risks of having all of that information in one place. Scary to even think about...

As far as I know, you cannot pull an AD user's password and view it. However, you can reset the password via a script to a predefined value and set the user's account to force a password reset at first login. This way you can change everyone's password to the same thing and communicate that, but when that user logs in they will have to change it to a secure password of their choice. If your higher-ups have other motives in mind for actually viewing all of the passwords they may be out of luck.
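The reset-and-force-change approach described above, as an added example that is not from this thread or any poster; it goes one step further than a single shared value by giving each account its own random one-time password. It assumes the RSAT ActiveDirectory module is installed and uses hypothetical account names as input.

```powershell
# Added example (not from the thread): reset a set of AD accounts to a one-time
# temporary password and require a change at next logon. Each account gets its
# own random value rather than one shared "predefined" password.
Import-Module ActiveDirectory

function New-TemporaryPassword {
    param([int]$Length = 16)
    # 64-character alphabet (A-Z, a-z, 0-9, '!', '#'): 256 mod 64 == 0, so
    # mapping a random byte to an index with modulo introduces no bias.
    $codes    = (65..90) + (97..122) + (48..57) + (33, 35)
    $alphabet = -join ($codes | ForEach-Object { [char]$_ })
    $bytes    = New-Object byte[] $Length
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Reset-TemporaryPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Identity $name -ErrorAction Stop
        $temp = New-TemporaryPassword
        if ($PSCmdlet.ShouldProcess($user.SamAccountName,
                                    'Reset password and force change at next logon')) {
            # -Reset sets the value without knowing the old one; the domain
            # password policy is still enforced and the cmdlet throws if it is not met.
            Set-ADAccountPassword -Identity $user -Reset `
                -NewPassword (ConvertTo-SecureString $temp -AsPlainText -Force)
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true
        }
        # The one-time value is handed to the user out of band and stops
        # working after the first logon, so nobody retains a usable credential.
        [pscustomobject]@{ SamAccountName = $user.SamAccountName; TemporaryPassword = $temp }
    }
}

# Constructed sample input (hypothetical account names); drop -WhatIf to apply.
Reset-TemporaryPassword -SamAccountName 'jdoe', 'asmith' -WhatIf
```

Running with -WhatIf shows which accounts would be touched without writing anything to the directory.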

Not to mention, you can't. The Active Directory password is stored in an encrypted hash, AD doesn't actually KNOW the password, just the hash. As an administrator you should have full access to all files and email to be provided as needed to management.

HR here used to require everyone to submit their passwords in a sealed envelope every time they changed their password. Once a month she'd go through her password envelopes and if the date on your envelope had expired, then you'd get a nasty email. I eventually got that to stop.

It's strongly discouraged. There are industries, such as healthcare, that require auditing for each user. If you can't guarantee that your user is logging in with their own account, there could be legal consequences as well.

The hassle of resetting the user's password and forcing them to change it when they log in is for the integrity of the user's security settings and the security of the organization as a whole. I strongly encourage you to discourage your bosses from doing this.

What he said.

Just to re-iterate: This means, boss can log in as ANY user and do whatever he wants. When it comes to auditing or taking responsibility for actions, the user has no recourse for what his boss did with his account.

My boss at an old job used to have a list like this, and he logged his kid into my computer to play flash games online. I never put my password into that list after that.

I could not agree with the rest of you more... This is a horrible idea that your management group has, but why is no one admitting the fact that it IS possible to retrieve hashed passwords?

It's not super easy and it's not fast, but it is definitely doable given enough time.

...this is not an appropriate place or forum to discuss hacking tools/utilities.

Anything could be done with enough time and resources, but we are giving advice for best policies and IT practices, which these tools are not really part of. Even if they were, given the circumstances, tools like this aren't really viable answers at this stage.

Stating that it's impossible, which is a blatant lie, is OK? I clearly stated I think the whole idea of having a username/password list or even knowing a single user's password is bad practice. I think it's naive and irresponsible not to tell it how it is.

It is impossible to get a password using conventional means that are accepted and condoned by the SW community as a whole - and that are built and maintained by the software provider, Microsoft. If you know of a Microsoft utility that can give OP the correct answer, I say go for it.

As a community, we definitely DO NOT approve of the use of hacking/cracking tools and would recommend that anyone who wishes to do so to find advice/information elsewhere. That is the difference here between the Community and just any other technical forum. We help direct those that have questions to acceptable answers that conform to normal business practices, ones that we would feel comfortable using ourselves.

This question was a first-tier conceptual one, and it was a bit naive IMHO to jump to the 'hack and crack' solution.

I completely agree. This is not a forum for "how 2 haxor ubern00bs" this is a community of IT professionals who work together using best practices and ideas to make each other's lives easier. Giving someone the tools to potentially screw their business does not help anyone. As a group we are trying to make HendersonW's life easier. We would hate to see his company go up in flames because of an unsuccessful audit because of what WE suggested.

At my last company, sharing your password or using someone else's password were grounds for dismissal.

When we got questioned by staff as to why this is, I used this as an explanation.

If I come in to find one of our servers has a virus and by looking through my auditing logs find out it was your username logged on when the virus was put on, then you're getting disciplinary/sack. Don't come to me saying "but user X was logged in as me". So if you don't wanna get the sack, don't do it.

I would go back to your bosses and question the logic of this idea. What overhead is it causing when a user comes in and doesn't know the password?

If it is because User A needs to access User B's files while they are off, then this is a file structuring issue and needs to be addressed by restructuring your files and shares.

If it is because User A needs to check User B's emails while they are off, then shared mailboxes should be set up.

Rob, calling JTR a hack and crack tool is a little naive also... Have you never used a windows password recovery CD (aka john the ripper)?
Tools such as these are also commonly used by security experts, not hackers. Indeed they are also used for malicious purposes, but so are cars, golf clubs, and baby strollers.